A:
Benefits: Obviously one of the largest benefits of outsourcing IT services (and really any other kind of services) is the cost savings that can be gained. It is true that work can be done more cheaply elsewhere than in-house or even in-country. It also saves time and resources (which again eventually turns into financial savings). It’s one less thing to keep track of, to train people on, to maintain, and to worry about. From an audit perspective, it may be one less thing that will need to be audited. In my business we don’t always directly audit outsourced services such as hosting providers. Instead we will review the SOC reports/SSAE16 reports and call it a day. That actually saves us and the business an enormous amount of work and time (which ultimately equals money). It also saves some stress.
Risks:
I think one of the biggest risks from a higher-level perspective is that you are trusting someone else with part of your company. Information that should stay confidential could be disclosed, systems could be breached due to a more lax approach to security and a lack of monitoring over that situation. Also highly worth mentioning are the communication issues. If you’ve outsourced your change management to a company in India but your other IT functions stay in-house, those two teams need to learn how to effectively communicate and work together despite working remotely and from a considerable distance (and time difference) away. There are cultural differences and language barriers that all come into play.
Ariana, I agree that a vendor’s security processes should be one of the largest concerns for a company that is outsourcing parts of its business. This is why extensive research before selecting a vendor is crucial. A company should talk to past and present clients to understand their experiences. In addition, if there were security issues in the past, a company should discuss them with the vendor to see what changes have been made after the fact to strengthen security.
Oh absolutely I agree clients past and current should be interviewed. This process is one looonnnngg job interview for the vendor that would like the contracts and there should be a full list of references provided and a good number of them should be contacted to vet them and their experiences working with the vendor in question.
Good summary for risks of outsourcing. I would like to add the risk of compliance, as well as issues arising around how to effectively measure SLA performance metrics.
Oh absolutely. When it comes to outsourcing and compliance, things can get a bit murky. If we’re utilizing a SaaS solution and the vendor is managing the DB and OS layers, how do we audit that? We can’t just go into the vendor’s office and demand all of their records and evidence. My company examines the SOC reports (SSAE16s) put out by our vendors to see what kind of findings were discovered and then we discuss what our next steps will be. If a vendor receives a “qualified” review, it may be time to start looking at someone else to provide services.
Nice Post! In addition to the benefits, it also includes risk sharing, reducing operational costs, specialized experts, concentrating on core process rather than the supporting ones, IT resources- sharing!
1. What are the benefits and risks of out-sourcing?
Benefits of Outsourcing:
Focus on core competencies
Ease of Scalability
Ease of Deployment
Lower personnel requirement
Save costs from infrastructure and hardware purchases/implementation
Lower costs for utilities
Risks of Outsourcing:
Data Security
Availability
Audit Capability
Regulatory Compliance
Confidentiality
Sean, you can also add to the list of benefits: risk sharing. In fact, outsourcing certain components of the business process helps the organization to shift certain responsibilities to the outsourced vendor. Since the outsourced vendor is a specialist, they can even plan the risk-mitigating factors better.
This is a great point. While a company should develop its own understanding as to the risks certain processes face, it should also utilize the knowledge a vendor can provide. As an organization that provides similar services to a variety of customers, the vendor can have useful insights regarding risks that were gained through experience, which the company doing the outsourcing may not have.
You are right to say the outsource provider should be an expert in the field. In finance, the experts are the people who work with numbers. Their passion is finance, not technology. The expertise and experiences of the outsource provider, good and bad can be used to your advantage. If they have been around and providing the solution for awhile to similar companies, they will have already fixed many of the mistakes they made during the growing pains of the company
Sean, one risk of outsourcing that you could add would be that when you outsource, you risk losing touch with your processes and the skills that come with those processes that your company outsourced. One way to cope with this risk is to stay involved and learn the techniques that the company you bring in employs to enhance your process.
I considered adding that, and should have with a couple exceptions. I think many companies outsource functions and processes because they didn’t have the experience needed to do the job themselves, so those businesses would not be “losing touch” with something it never had. Also, some businesses outsource functions and processes simply because they don’t want to waste any resources focusing on anything other than its core competencies. Both cases wouldn’t be missing out on those skills outsourced necessarily. I do think your addition is a great point, and I should have added it originally with those exceptions.
Nice Post! In addition to the risks, it also includes dubious accessibility, loss of personal touch, substandard security protocols, risks and exposing confidential data, hidden costs, and lack of customer focus.
2. What controls can be implemented to mitigate the risks associated with outsourcing?
Detailed and specific Service Level Agreements (SLA’s) can be implemented when contracting 3rd party services. The ability to audit controls, or agreement on a 3rd party external auditor under SOX 404, can provide assurances of controls to the business. Service metrics can be agreed upon to provide concrete availability measurements to ensure service levels are met at all times. Insurance policies can be purchased to provide coverage for any failures with data security that the business is responsible for.
Definitely agree on service metrics.
I remember reading that many companies that outsourced parts of their own internal IT to a service provider a number of years ago and have since procured IT services externally, subsequently in many cases find themselves subjectively dissatisfied with the services they receive. Why? Because no objective metrics for the quality of the services to be provided have been agreed, or that such metrics could not be agreed due to a lack of historical data.
That is an interesting predicament. I wonder if they could gather data from vendors through solicitation and figure out how to baseline their own services with the information. Vendors would probably have the best metrics and measurements because their business is the industry of supplying services, and because of that they would probably have the best gauge on how to properly measure what they provide. Again, that really is an interesting thought.
The service metrics is a good measure of SLA; the challenge is how to accurately measure SLA in an outsourced environment. Monitoring outsourced services for uptime is much easier than monitoring service response time.
One way we can do this is to require vendors to meet security standards and monitor with effective auditing, and review and approve business continuity and disaster recovery plans of the vendor. If the vendor is international, we need to increase cultural awareness through specialized trainings to avoid the problems from cultural differences.
3. Explain common SLA issues identified by auditors
– Key Performance Indicators are not properly identified or set at a proper minimum level
– Control frameworks are not properly specified when required
– Regulatory compliance specifications are not set, or not properly set
– 3rd Party performance level assurance not available
– Penalties not set for under-performance or failure to meet requirements of business
– No right to audit granted to business (may not be granted to businesses that aren’t large source of revenues)
– No right to audit 3rd party service assessments
– No clause prohibiting vendor from using the business’s data for its own purposes
– Non-disclosure clause missing
– Proper review by legal personnel not completed
– No formal policy for vendor selection
– No formal policy for SLA creation, maintenance, and/or updating
– Is a proper policy set for vendor selection?
– Is a proper policy set for creating, maintaining, and updating SLA’s?
– Is the SLA reviewed by legal personnel prior to signing in agreement?
– Is the vendor audited by an external 3rd party independent auditing firm?
– Are results from independent service level assessment available for review?
– Do vendor personnel have access to the business’s internal network?
– How is the business’s data segregated from other companies’ data?
– Is encryption used for the business’s data at rest, in use, and in motion?
– What physical security processes are in place for where the data is stored?
– What logical security is in place where the data is stored?
– Does the vendor have a DRP and BCP in place? Is it updated?
– Does the vendor carry a current and properly valued insurance policy/bond?
– Does the vendor and SLA stipulate backup procedures?
– Are backups stored onsite or elsewhere?
1. What are the benefits and risks of out-sourcing?
Benefits: risk-sharing, reducing operational costs, specialized experts, concentrating on core process rather than the supporting ones, IT resources-sharing
Risks: dubious accessibility, loss of personal touch, substandard security protocols, risk of exposing confidential data, hidden costs, lack of customer focus.
Yulun, what do you mean by loss of personal touch? Do you mean loss of personal touch on the product, processes, activities, and workload?
I like how you put risk of exposing confidential data because the company you bring in to take over work may have access to your confidential data. Also, that company could use the expertise they learn from taking over your workload and processes to become a competitor.
Thank you for your response Ian. What I am trying to say about loss of personal touch is outsourcing will influence to IT experts because they think they can handle it with familiarizes of the networks or processes they work for.
Agree with you, but I want to mention that there also have some drawbacks of outsourcing.
Firstly, you will lose the managerial control, and there is some hidden cost when some legal issue comes up due to the service or product provided by a 3rd party. As well, some quality problems would come out.
2. What controls can be implemented to mitigate the risks associated with outsourcing?
In mitigating the risks associated with outsourcing, we need to consider a detailed study about vendors including current processes and customer references, rather than blindly believing the track record. Another thing we can do is to require vendors to meet security standards and monitor with effective auditing, and review and approve business continuity and disaster recovery plans of the vendor. If the vendor is international, we need to increase cultural awareness through specialized trainings to avoid the problems from cultural differences. https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing
Overall, I think due to the loss of control (real or perceived) when hiring an outsourced IT provider, it is important for businesses to put together an agreed-upon plan with their IT providers (that is the best way to mitigate outsourcing risk in my opinion). The plan can include:
Timelines for meetings
Updates and issues that the provider or business owner(s) might be having.
Any pertinent changes or inabilities with either party to help meet business and operational goals.
Identifying key staff to be in touch with the IT provider(s).
In addition to reviewing the vendor’s business continuity and disaster recovery plans, I believe the company doing the outsourcing must also ensure it has its own BC/DR plans. The difference between the two would be that a company’s business continuity and disaster recovery plans would focus on the required course of action if a vendor were to cease operations long-term (or even permanently). While the probability of such a thing is usually low, there is still a chance that a vendor can stop operating due to events unforeseen by one or both parties (e.g. going out of business, environmental disaster, terrorist attack, etc.).
4. Outsourcing and SLA audit questions
What service levels will you include in the SLA?
What, exactly, will each service level measure?
How will actual performance be measured?
What will the measurement period be?
What reports will the supplier provide?
How well will the supplier agree to perform?
Will the minimum and expected service levels change over time?
Will the SLA include service-level credits?
Will the supplier have the right to service-level bonuses?
What other options will the customer have in the event of service-level failures?
I like the question you presented in “Will the supplier have the right to service-level bonuses?” Incentivizing the vendor to produce service levels beyond their minimum promised could be very beneficial to a business. The bonuses could even be more business conducted with the vendor as opposed to a traditional bonus of extra money. Even if the bonus levels aren’t hit, or aren’t hit constantly, it may be just the ticket to get a vendor to try and perform even better for a business.
What are the benefits and risks of out-sourcing?
Benefits-Save Money
While companies that outsource IT services enjoy many benefits, saving money is one of the most compelling reasons for doing so. Outsourcing helps control capital outlay, especially in the early years of operations. IT services make up fixed costs for companies that do not outsource. Businesses that choose to outsource IT, whether offshore or through a local contractor, convert those fixed expenses to variable ones, freeing up capital for use in other areas. This makes the business more appealing to investors, since the company has more capital to funnel into areas of operations that directly produce revenues.
Risk-Loss of Personal Touch
An in-house network administrator becomes intimately familiar with the eccentricities and unique characteristics of the network he manages. Because of this, he is able to deliver results more efficiently, quickly and personally. IT outsourcing can never provide a personal touch that comes close to that of an in-house IT specialist. Many managers reject the thought of giving this up, even though they can save money by outsourcing.
I am on the fence about the risk of loss of personal touch. Usually, the business processes that are outsourced are the supporting processes. These processes are definitely essential to run the business but are limited on how much “personal touch” can be placed on these units. By outsourcing these processes, companies can focus on their core business process where “personal touch” plays a much bigger factor.
Wenlin, not sure if I also agree with you on the personal touch for the risk of out-sourcing. It is different and I can see where you are coming from but saving cost is what companies are mostly after and it is true, you can build it in house but that would take tremendous time and will cost the company in all areas. Outsourcing would help reduce those costs and time. I remember working as an Associate App Developer and the company had outsourced some of the jobs over to India and that helped a lot with saving them on cost. They were able to provide customer help at all times of the day and while those of us sleep during the night in the U.S., those outsourced resources are up working.
What controls can be implemented to mitigate the risks associated with outsourcing?
Pick a transparent vendor with proven risk management processes.
There are a large number of vendors out there, and most will claim that they have risk mitigation practices in place. While you’re choosing your strategic partner, make sure to ask them how they have managed similar problems before.
Make sure your entire team knows what outsourcing entails.
Outsourcing is not a quick-fix. It takes time, and while you may have chosen the best vendor in the world, the project is still at risk of failure if your team does not know how to cooperate and communicate with your new team of remote professionals. Make sure the entire team knows what is going on, what outsourcing will bring, and what changes to expect. Offer some training before the outsourcing venture begins. Above all, make sure your entire team is on-board, not just the management.
Use appropriate communication channels.
Even when everyone knows how the outsourcing relationship is likely to proceed, there is a chance that an e-mail will go unread, a memo will be missed etc. There are many communication channels available, e-mail is an obvious one, but incorporate communication through channels such as Skype and GoMeeting. Also make sure to share information by setting up a common VPN or using a custom cloud solution. Pick two or three things that will do best
Resource: http://intetics.com/blog/outsourcing-risk-management-loss-of-visibility-and-control/
Wenlin, I like that you mention that companies should “Pick a transparent vendor with proven risk management processes”. In fact, a way to eliminate some of the risk when hiring an outside IT provider is for a business to do their homework. Most IT providers will claim to ensure high quality, but where’s the proof? Organizations shouldn’t hesitate to speak with at least three-to-five of the IT provider’s clients, current and past. Past clients are especially important to speak with because they have nothing to lose by telling the truth.
Wenlin, I really like the second control you mentioned. As with any business relationship, outsourcing success is dependent on the cooperation of both parties. Training for employees on the various issues that can result from outsourcing, such as remote collaboration and cultural differences, should be started before outsourcing begins. This will allow for a smoother transition and can remove some of the obstacles to a good working relationship.
Sub-contracting can be another important issue to consider when outsourcing. It would be important to know if and whom the contractor might hire. There may be some areas that are sensitive and would not be appropriate to outsource a second time, or the contractor may not be reliable. It would be important to research and find out any sub-contracting policies.
Explain common SLA issues identified by auditors
• Availability and timeliness of services;
• Confidentiality and integrity of data;
• Change control;
• Security standards compliance, including vulnerability and penetration management;
• Business continuity compliance; and
• Help desk support.
• What audit worksheets are going to be used?
• Do you want the auditor to use your standard audit worksheets or are you open to using theirs?
• What support is needed to monitor and track corrective actions that must be established?
• Will you want the auditor to follow up on corrective actions to verify effectiveness? http://www.quality-auditing.com/auditing-white-papers/outsourcing-the-internal-audit-process/
Wenlin, you could also ask questions involving the quality of the work. Along those same lines, you could ask questions involving the benchmarks and goals that the company will reach. If they do not reach those goals, there could be penalties or a cheaper price to pay them. That way you can hold the company to a certain set of standards for the work that they will achieve for you.
Of course, I agree with you. Some companies did not research, so it may be hard for the SLA to achieve their goals. Using the benchmarks and goals can help make the SLA more effective. And the penalties can prompt the company to achieve the SLA goals.
1) What are the benefits and risks of out-sourcing?
Benefits of outsourcing
• Better revenue realization and enhanced returns on investment
• Lower labor cost and increased realization of economies of scale
• Opportunity for innovation
• Frees management time, enabling companies to focus on core competencies
• Increases speed and the quality of delivery of outsourced activities
• Reduces cash outflow and optimizes resource utilization
The risks of outsourcing
• Possible loss of control over a company’s business processes
• Problems related to quality and turnaround time
• Sluggish response times coupled with slow issue resolutions
• Lower than expected realization of benefits and results
• Issues pertaining to lingual accent variation
Good explaining. Organizations use outsourcing as a strategic initiative to improve customer service, quality and reduce costs. Outsourcing can be a permanent or temporary arrangement to bridge the gap in staffing, to learn better quality techniques or improvement of faulty product design.
The risks of outsourcing
• Possible loss of control over a company’s business processes
• Problems related to quality and turnaround time
• Sluggish response times coupled with slow issue resolutions
• Issues pertaining to lingual accent variation
Mitigation plan associated with the above risks :
• Well planned milestones, immediate deliverables along with appropriate documentation plan.
• Agreed upon standards and processes must be part of the binding contract.
• Flexible shifts to respect time-zones and increased frequency of meetings.
• Increased cultural awareness through specialized trainings
Too Complex. These documents are not usually short and precise in defining the services the supplier provide and the level of service the supplier and their customers agree on.
No measurements. If you do not have the technology and tool sets to track and report the timed-service events by responsiveness and resolution for the various severity level classifications, then SLAs will fail. Without continuous feedback on performance, the loop is incomplete and the SLAs become documents and nothing more.
Unrealistic management expectations. Often management does not acknowledge the amount of time needed to implement service level management, and therefore they do not staff it adequately.
Unrealistic objectives and goals. Frequently, IT management and customers set unrealistic objectives and goals. This usually happens because there were inadequate measurements done prior to implementing the SLA.
Are management requirements and expectations clearly defined in the contract?
Do policies regarding purchased services, and, in particular, third party vendor relationships exist?
Were vendor selection processes followed?
Do contract reviews and approval processes exist and were they followed?
Were existing contractual impacts considered?
Are customer service levels defined?
Are responsibilities of users and providers defined?
Does the outsourcer have adequate back-up procedures?
Are security requirements clearly defined in the contract?
I think all the questions you suggested help the auditors determine the conditions, pros and cons of the SLA. And I especially like the one that asks the back-up procedure of the outsourcer because if they don’t have it, it would be a risk for the company.
What controls can be implemented to mitigate the risks associated with outsourcing?
• Adopt a thin-client approach which allows you to mitigate the risk while staying compliant with the Data Protection Act
• For organizations that outsource parts of their business, there is a risk of losing their core skills as they become more reliant on the outsourcing supplier. Keep control and retain influence over what you accomplish by identifying and retaining your own special core skills and keep control of technical roadmaps and design.
• Carry out your end of the due diligence on site by working with the outsourcing supplier’s people to gain an understanding of their technical and procedural processes, and check the company’s controls are embedded in its processes. Specific control: ask suppliers to sign up to certain standards, levels of vetting for staff, level of physical security, and guarantees about how they run their operations. “occasional site visits at suppliers deemed to be high risk in order to evaluate their security and data protection controls”
• Gain an understanding of their technical and procedural processes and check the company’s controls are embedded in its processes in order to learn how to do what you outsource yourself. This mitigates the risk if something would happen to the company that you outsource the work to. Learn the process to understand where in that process flow something could go wrong, and if any of those steps are outsourced, what role suppliers may play in a failure.
• “Think strategically about their risk appetite for outsourcing certain functions” “Maybe their strategy is that they won’t outsource something because it’s just too risky. That’s a form of mitigation, too.”
The Pros of Outsourcing
• Increased revenue and returns on investment
• Lesser labor cost
• Improved realization of economies of scale
• Knowledge base for better innovation
• More management time – enables management to focus on core competencies
• Increases speed and the quality of delivery of outsourced activities
• Reduces cash outflow and optimizes resource utilization
The Cons of Outsourcing
• Possible loss of control over a company’s business processes and activities
• Problems related to quality and turnaround time
• Sluggish response times and at times slow issue resolutions
• Shortcomings in performance
• Lower than expected realization of benefits and results
• Issues pertaining to lingual accent variation
• An irate customer base coupled with enraged employee unions
Explain common SLA issues identified by auditors
• Availability of service;
• Unrealistic Expectations
• Too complex for general employees
• Resource allocation
• Micro management of agreement
• Process mismanagement
• Change control issues
• Compliance
• Confidentiality and integrity of data;
1. Am I doing this because I want to simplify my life, or offer the market something new?
2. Am I doing this so I can “focus” on my “core” business?
3. How will this advantage me versus competitors? Would emerging competitors do this?
4. Can competitors do what I’m doing? Can this lead to a price war?
5. How will this make me more competitive in 10 years?
6. How will this make me more connected to markets?
7. How will this make me more flexible to deal with shifting markets, and how will I exploit this flexibility?
8. Am I doing this because I’m desperate to cut costs?
9. What could I be doing instead of outsourcing to be more competitive?
Benefits of out-sourcing:
First of all, out-sourcing can significantly decrease the cost. For example, if a car manufactory wants to produce a new model of vehicle, it’s not necessary to produce every part of the vehicle, but outsource some of them to other manufactories. Moreover, this can also save time for the company.
Risks of out-sourcing:
The most significant risk is the information security. Still using the example of the car manufactory, if it decides to outsource some parts of the specific model of vehicle, the company needs to share the designs of those parts to the outsourcers, which means the outsourcers are able to gain the design of the parts of the vehicle.
What controls can be implemented to mitigate the risks associated with outsourcing?
Risks:
1. Security breach including confidentiality, IP and trade secrets.
2. Infrastructure breakdown (software/hardware/network failure).
3. Poor selection of vendor.
4. Poorly designed disaster recovery systems/ processes.
Controls:
1. Require vendors to meet security standards and monitor with effective auditing.
2. Consider a detailed study about vendors including current processes, customer references etc.
3. Review and approve business continuity and disaster recovery plans of the vendor. Audit data from simulated disaster drills.
A service level agreement (SLA) is defined as a contract between a service provider and a customer. However, things can get confusing when creating an SLA policy if you’re not seeing it work as expected. For example, a newly created SLA policy may not apply to existing tickets, or an updated SLA policy is not applied to tickets already using that SLA. Also, the SLA may have some other issues like:
– SLA applied only to some tickets
– First reply time metric not working
– SLA not paused when ticket status is pending
– Target hours showing incorrectly
– Are management requirements and expectations clearly defined in the contract?
– Do policies regarding purchased services, and, in particular, third party vendor relationships exist?
– Do clearly defined benefits and business purposes exist to support the decision to outsource?
– Do contract reviews and approval processes exist and were they followed?
– Is a transition plan, with completed requirements from all affected entities, completed?
– Are we compliant to warranty requirements?
– Are customer service levels defined?
– Are responsibilities of users and providers defined?
– Has outsourced function/operation allowed the customer service levels to be maintained or improved?
Source: Outsourcing, Audit program & Internal control questionnaire. www.isaca.org
Nice recap SLA auditing concerns, however one auditor’s major concern is lack of documenting SLA measurable metrics like availability, performance, response time, location of data, issues resolution process, and other measurable quality of services metrics. Another concern is related to outsourcing vendor’s security practices and compliance with regulatory standards.
The benefits of out-sourcing:
– Fast assistance
– Expertise in that particular subject
– Cheaper (less employees, hardware, space, etc.)
– Focuses on competencies
The risk of out-sourcing:
– Risk sharing
– Substandard Security Protocols
– Out-sourced company’s objects align with companies
– Confidentiality
– Accessibility
You listed risk sharing as a disadvantage of outsourcing. Based on the sources I read, risk sharing is listed as an advantage instead. Outsourcing helps shift certain responsibilities to the outsourced vendor. Since they are specialists, they are able to plan risk mitigating factors better. Obviously, this varies based on vendors as some are better than others but ideally, that should be the case.
I agree with you Yang, outsourcing vendors are the experts in the field and they should have the highest security level and plan to mitigate the risks. Companies are basically transferring risks but they should still be responsible for the outsourced functions.
Nice summary Magaly, I believe the biggest outsourcing risks are SLA and security. There are several issues around managing SLA in an outsourced environment, including performance metrics and the measuring basis for SLA. Security risks are another crucial component due to the enterprise’s lack of direct control over the vendor’s security process.
1. SAVE MONEY- I believe the greatest benefit of outsourcing is saving money, no matter which service a company is outsourcing. Outsourcing helps control capital outlay. In addition, outsourcing IT services to a company that specializes in business networks and support will alleviate some of its expense compared with businesses that perform operations internally.
2. FOCUS ON CORE OPERATIONS- Outsourcing allows a company’s management to focus their energies on their competencies. It could be stressful when managers have to split their energies between activities that engage prospective customers and concerns with operations outside of the core business objective.
3. IT RESOURCE SHARING- Outsourcing IT systems and services creates balance between small firms and large enterprises by sharing the IT resources. Oftentimes small companies might not have the budget or resources that large companies have to implement the IT systems and services they need.
Risks of out-sourcing
1. DUBIOUS ACCESSIBILITY- When there are critical system failures, the IT contractor might not be able to devote attention to the issues and resolve them right away. This will lead to loss of productivity and possibly a decrease in revenue.
2. LIMITED UNDERSTANDING OF IT SYSTEM/SERVICE- Because the IT system and service is outsourced, the administrator is not able to deliver the results of the IT system implemented efficiently. There is a lack of “personal touch”.
3. SUBSTANDARD SECURITY PROTOCOLS- Especially for offshore companies run from foreign countries, one must confirm that the outsourcing company has strong security protocols. Some foreign countries may not have laws to protect intellectual property or other private data, so one should be very cautious in picking an outsourcing company.
Wen, I liked your first point on the risks of outsourcing and its dubious accessibility. When working as an Associate App Developer I faced an issue like that. The outsourced team had a project signed out and I needed access to it and also needed to know exactly what they had changed in it. I couldn’t get in touch with them because they were sleeping, since it was a different time zone. My work got delayed since the Administrator was not able to sign the project over to me and I could not work on an old copy since the changes the outsourced member made might have been needed. So I had to work on something different, and it delayed my project because of these issues.
What controls can be implemented to mitigate the risks associated with outsourcing?
A: Some controls can be implemented to mitigate the risks associated with outsourcing:
-Research the outsourcing company in detail, including current processes and whether or not it has laws to protect its intellectual property or other private data (preventive control).
– Have recorded videos, tutorials, and webcasts to transfer knowledge, to prevent an inability to capture what the outsourcing company has implemented for the company (preventive control).
– When doing business with a foreign country, make sure to have some basic understanding of how that country does business. Learning and increasing cultural awareness is very important to avoid issues from cultural differences (preventive control).
– Visit the outsourcing company on a timely basis to make sure everything is well under control (detective control).
-Review and approve Business Continuity of the outsourcing company, always have disaster recovery plans (corrective control).
Good post, I learned a lot from your comments.
The most common view of outsourcing appears to be that the concerns generated by giving up control override any sense of relief at not having the day-to-day operational responsibilities. This trend may result from perceptions regarding the different goals and attitudes of internal and external staff towards service, profits, and survival. Clearly much of the concern stems from customers’ suspicions, which may be justified, that the outsourcer does not have the same level of commitment to meeting service requirements as an internal group.
Q1. What are the benefits and risks of outsourcing?
Some benefits of outsourcing include:
-Cost savings
-Resource savings
-Access to expertise
-Scalability
-Time zone advantage
Some risks of outsourcing include:
-Decline in product/service quality
-Protection of intellectual property
-Dependence on vendor
-Regulatory/Legal compliance
-Availability of product/service
Q2. What controls can be implemented to mitigate the risks associated with outsourcing?
-Research: A company should complete a detailed analysis of potential vendors for outsourcing, having an understanding of their offerings, costs, and history, so it can make an educated decision regarding where it wants to outsource.
-Service Level Agreement: A detailed and specific SLA can set the expectations and ensure that both parties are understanding and agreeing to the same thing. This can reduce quality and legal risks.
-Reviews: Timely and regular reviews of third-party vendors and outsourced operations can help ensure that performance measures are still being met and that a company can still confidently do business with them.
What are the benefits and risks of out-sourcing?
The benefits of outsourcing are mainly cost savings, potential increased efficiency, in addition to offloading outsourced services to skilled providers.
The outsourcing risks are:
– All the compliance risks the business manages with in-house service will still be managed with outsourcing vendor.
– Outsourced Application/Infrastructure/Network in terms of availability/updates/Security/backup/restore risks
What controls can be implemented to mitigate the risks associated with outsourcing?
– Establish agreed upon SLA including availability, outage events handling procedure.
– Establish a process for regular communication, particularly when the outsourced application experiences availability/security events.
– Establish confidentiality agreement and Non-Disclosure Agreement (NDA) to protect enterprise data handled by outsourcing vendor.
Explain common SLA issues identified by auditors
– SLA may not clearly document expected availability, performance, response time, location of data, issues resolution process, and other measurable quality of services metrics.
– SLA may not document infrastructure and security standards used by outsourced vendors.
– SLA may not be in line with enterprise business goals.
– SLA may not define all compliance requirements that outsourcing vendors have to comply with, process to communicate yearly compliance updates.
– SLA may not have exit process to move outsourced services to another provider should business decide to move with another vendor.
– How to independently measure SLA for internal reporting as opposed to SLA numbers provided by outsourcing providers.
– SLA may not provide details on governance processes like Change Management, BCP, DRP.
Outsourcing and SLA audit questions
– Do you have business management expectations defined in SLA agreement?
– Does business have internal policies on how to manage SLA risks?
– Does the outsourcing contract include expected availability, performance, response time, location of data, issues resolution process and other measurable quality of services metrics?
– Was there a transition plan to the outsourcing provider and an exit process?
* Can save money
* Control expenses
* Access to capabilities not internally available
* Focus on core operations
* Use IT resources closer to business functions
* Access to first rate software/capabilities
* Share risk
Risks
* Loss of business/institutional knowledge
* Accessibility
* May not be as familiar with system or business
* Substandard security/procedures
* Regulatory compliance
* Sub-contracting
* Some functions cannot be outsourced
The benefits of outsourcing are:
• Increased control of your business
• Increased efficiency and productivity
• Ability to streamline business operations
• More flexible to change
• Reduced operational costs
• IT resource sharing
The risks of outsourcing are:
• Hidden costs, for example, legal costs while signing contracts between companies
• Misunderstanding the contract
• Renewing contracts
• Product or service quality may suffer therefore customer service may be affected
• Transition phase may fail if schedules and budgets are not reached
• Potential redundancies may occur affecting the quality of work by employees
What are the benefits and risks of out-sourcing?
Benefits
-Cost saving for the company since instead of using their own resources or money to buy equipment, they are outsourcing to an outside company to do it. That way they are saving on storage, equipment, personnel, electricity etc. They are then able to invest that money into something else. Outsourcing companies can provide the service they need and if they outsource to companies overseas then they could be saving a lot more money but also help people in those countries get jobs.
Risks
– Access to the company’s personal information is a huge risk factor when working with outsourcing companies. Companies are providing information and outsourcing firm employees are able to access information within the company, and if there are no measures in place or barriers established to limit what they are able to get access to, then that could be a huge issue. They would be able to access information and even change information in the system. There is also the risk of leaking personal information about the company early, which could cost the company money. Those are some of the risk factors that come with outsourcing to an outside company.
Benefits:
1. Save money, manpower and time
2. Can focus on core operation
3. Swiftness and Expertise
Risks:
1. Risk of exposing confidential data
2. Have to deal with the relationship with the outsourcing partner
3. Lack of expertise in the long term
4. Quality service
What controls can be implemented to mitigate the risks associated with outsourcing?
Access controls can help mitigate the risk associated with outsourcing. Specifically, the access controls that provide users authority to be able to make changes to certain databases. I remember when working as an Associate App Developer I would have to submit a request to access certain databases and it would have to get approved by 4 different managers before I received access. So putting a control like that in place for outsourcing companies will reduce the risk of them getting access to the company’s personal information. They will get access to what they request and if there are any changes, then you know who had the access and who made the changes, so there is a paper trail in place also. This will greatly reduce the risk.
What controls can be implemented to mitigate the risks associated with outsourcing?
In case of poor outsourcing vendor selection, the company can conduct a detailed study of the vendors, covering current processes and customer references. They have to select the best quality outsourcing vendors since they are performing important business. Furthermore, since data breaches may often happen to outsourcing partners, it is especially significant for them to meet the security standards and be monitored with effective auditing. Companies should also increase awareness of region-specific laws and regulations to better plan for incompatibilities and allowable trade-offs to mitigate legal and regulatory risks.
A service-level agreement (SLA) refers to a contract between a service provider and its internal or external customers that documents what services the provider will furnish and defines the performance standards the provider is obligated to meet.
The issues identified by auditors:
1. Confidentiality, integrity and availability of service provided by SLA
2. Compliance issues
Outsourcing is the transfer of specific business processes from one organization to another organization specializing in that business process. Most organizations cannot handle all aspects of a business process internally due to lack of expertise or high operating cost. Once the task is outsourced to the service provider, it will take the responsibility of carrying out the tasks and maintaining the business process.
However before outsourcing any component of your business, it is important to understand the advantages and disadvantages of outsourcing.
Benefits:
Expertise – Vendors that provide outsourcing service usually specialize in that field. They have specific equipment and technical expertise that are usually better than the outsourcing organization. This enables them to complete that business process much more effectively, efficiently and at better quality.
Focus on core process rather than supporting process –By outsourcing supporting process, the organization can focus more time and resources on improving their own core business that actually helps raise their revenue.
Risk Sharing – Outsourcing helps shift certain responsibilities to the outsourced vendor. Since they are specialists, they should be able to plan risk mitigating factors better.
Reduced Cost – Operational and recruitment cost can be reduced since the organization does not have to hire and operate in-house.
Disadvantages:
Risk of exposing confidential data – An organization will have to expose confidential company data if the outsourced business process requires that information.
Potential setbacks – Sometimes, organizations may choose the wrong vendor. This can lead to unsynchronized time frames, low quality output and mix-up in responsibilities.
Lack of customer priority – Often times, outsourcing service vendors have multiple organizations that they cater to at a time. They focus their attention on the bigger clients instead of their smaller ones.
– There are no proper Key Performance Indicators so the service provided cannot be monitored or audited.
– There is a lack of control frameworks which expose the organization to threats
– There are no penalties set for under-performance or failure to meet requirements of business
– No agreement of confidentiality that prohibits vendor from using the businesses data for its own purposes or exposing the data.
– Lack of formal policy for SLA updates.
Do the SLAs adequately evaluate the effectiveness of the services to be delivered by the vendor?
Does the SLA have quantitative and qualitative metrics that measure the effectiveness of the service? Are they reasonable and measurable?
Is there a clearly defined customer service level?
Is there a required level of security control?
Are there penalties for under-performance or failure to meet requirements of business?
Is there a confidentiality agreement?
Is there a formal SLA update policy?
How will actual performance be measured?
How frequent should we review the outsourcing performance?
What does outsourcing cover?
Cost, risks, time period, working hours, contract terms
Outsourcing vendors and location
What controls can be implemented to mitigate the risks associated with outsourcing?
First of all, the company should research all vendors and choose the one that best fits the company. Then, the company should require the vendor to meet security standards and monitor the vendor with effective auditing. It can also review and approve Business Continuity and disaster recovery plans of the vendor.
What are the benefits and risks of out-sourcing? And what controls can be implemented to mitigate the risks associated with outsourcing?
The first thing I would mention is the difference between On-shore outsourcing and off-shore outsourcing. On-shore means the business function is performed in the United States or where the client is located. Off-shore means the function is performed in another country. There are different risks and benefits associated with each and different functions that can be outsourced.
Adesanya Ahmed wrote a whitepaper, Using COBIT to Manage the Benefits, Risks & Security of Outsourcing Cloud Computing.
The benefits listed were: Cost Controls, Improved Productivity, Availability, and Resiliency. The benefits are well known and we hear about companies moving certain functions outside the organization. However, there are risks that may outweigh the common cost and production benefits.
Risks Include:
Loss of Governance or Control. By outsourcing the function, they are giving control of the process to an outside organization. To mitigate this risk requires full transparency and communication. Documentation on the policies, procedures, responsibilities, and consequences should be available for review.
Compliance: Rules and Regulations are changing to protect consumers from fraudulent actions. Certain industries are governed by industry regulators, who require specific actions and controls to be enforced. Proper procedures should be outlined in the SLA and reviewed with the service provider prior to signing. A right to change the contract should be included in the contract in the event the governing body changes the rules and/or regulations during the terms of the contract.
Data Protection: What are the service provider’s encryption methods? Are penetration tests conducted to pinpoint intrusion areas? Multi-level authentication and enhanced data protection are needed to mitigate these risks.
Provider Selection: The 3 previous risks mentioned all fall on the Provider Selection. This risk is associated with the 3 previous risks. It is important to put out a detailed Request For Proposal (RFP) and allow multiple vendors to bid on the project. The vendors should be directed to the procurement department for proper verification, and to be added to the vendors list. Each proposal should be reviewed and discussed with the vendor to determine if the services needed can be accomplished.
Even with all of the “t”s crossed and “i”s dotted, there are still issues associated with an SLA. ISACA points out a few risk drivers with Service Level Agreements.
1. Failure to meet expectations
a. Both you and the service provider may have every intention to meet the obligations of the SLA, but unforeseen things happened and for whatever reason, the expectations were not met. There should be an “out” clause in the SLA and a documented process on how “the break-up” will work.
2. Inefficient and ineffective use of service delivery resources
a. This reminds me of a cartoon where a hunter is using a B.B. gun to hunt an elephant. You could even use an example of an elephant gun to hunt birds. The service provider may have a great solution for your industry, but if all employees aren’t using the solution, or if it isn’t meeting the requirements, then the SLA is worthless because the solution doesn’t work.
What industries do you service?
How long have you been in business (Reputation)?
Where are you located or What office will be associated with our company?
What is the response time?
What are your controls (Physical, system, people, etc.)?
Do we get a dedicated solution or are we just another client?
And, How much does it cost?
-Does the outsourcer have adequate back-up procedures?
-Does the outsourcer have adequate physical access controls and administration and maintenance?
-Is vendor performance monitored?
-Will the SLA include service-level credits?
-Are billings and payables verified to the contract for validity?
Good post. One of the main reasons to outsource is the expectation of receiving better service from the outsourcer than from internal staff. This expectation is often based on the knowledge that there will be an explicit SLA in place, which can be enforced by the customer and which might bear remedies against the outsourcer for nonperformance. While companies are increasingly establishing SLAs for internal providers, they are often harder to enforce since everyone is a member of the family.
Risks:
Logical IS Security
Total Dependence and Exit Barriers
Legal Consequences
On-time Delivery Performance
Product or Service Quality
Financial stability of Outsourced Vendor
Benefits:
Cost compared to internal resources
Expertise in specific function
Quicker to market vs building out a new division or unit
What controls can be implemented to mitigate the risks associated with outsourcing?
Contracts
Statement of Work
High Level Monitoring
Connectivity and Network Security
Data Security
Project Monitoring and Governance
Compliance with Regulatory Requirements
Benefit Measurement
Customer Satisfaction
Impact on IT Strategy
One common concern is that outsourcing the project or function may be unrealistic due to a number of issues, including that it is too complex. Additionally, measurements of service level agreements and performance against those agreements are unclearly defined; therefore, it is impossible to determine if it is an effective solution. Some additional concerns would be process fraud, prioritization of projects, escalation processes, etc.
Outsourcing is a practice in which an individual or company performs tasks, provides services or manufactures products for another company: functions that could have been, or usually are, done in-house. Outsourcing is typically used by companies to save costs.
Benefit:
1. Reduce cost/internal headcount
2. Internal capacity is constrained by increasing market demand makes the company meet the internal manufacturing requirements
3. Increase efficiency: when you outsource your business needs to an outsourcing partner, they bring years of experience in business practices and expertise in delivering complex outsourcing projects.
Risks:
1. Logical IS Security
2. Total Dependence and Exit Barriers
3. Legal Consequences
4. On-time delivery performance and end-customer satisfaction levels may decline because of delays at third parties
5. Product or service quality may also suffer in outsourcing, affecting customer satisfaction.
6. The outsourcing transition phase may also fail if schedules and budgets are not achieved because of insufficient planning and/or resources.
7. Providers may not be financially viable, thereby exposing the company to supply interruption risk.
What controls can be implemented to mitigate the risks associated with outsourcing?
1. Contract
2. Statement of Work (SLA)
3. High Level Monitoring
4. Connectivity and Network Security
5. Data Security
6. Project Monitoring and Governance
7. Compliance with Regulatory Requirements
8. Benefit Measurement
9. Customer Satisfaction
10. Impact on IT Strategy
A service level agreement (SLA) is a contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. SLAs are output-based in that their purpose is specifically to define what the customer will receive.
Common SLA issues are shown below:
1. There are no Key Performance standards so the service cannot be monitored.
2. There are no control frameworks, which exposes the organization to threats
3. There are no penalties set for failure to meet business requirements.
4. No agreement of confidentiality that prevents the vendor from using the business’s data for its own purposes or exposing the data.
5. Lack of formal policy for SLA updates
What are the benefits and risks of out-sourcing?
Outsourcing, most commonly known as offshoring, has pros and cons to it. Most of the time, the advantages of outsourcing overshadow the disadvantages of outsourcing.
Benefits:
1. Swiftness and Expertise: Most of the time, tasks are outsourced to vendors who specialize in their field. The outsourced vendors also have specific equipment and technical expertise, most of the time better than the ones at the outsourcing organization. Effectively, the tasks can be completed faster and with better quality output
2. Concentrating on core process rather than the supporting ones: Outsourcing the supporting processes gives the organization more time to strengthen their core business process
3. Risk-sharing: One of the most crucial factors determining the outcome of a campaign is risk-analysis. Outsourcing certain components of your business process helps the organization to shift certain responsibilities to the outsourced vendor. Since the outsourced vendor is a specialist, they plan your risk-mitigating factors better
4. Reduced Operational and Recruitment costs: Outsourcing eludes the need to hire individuals in-house; hence recruitment and operational costs can be minimized to a great extent. This is one of the prime advantages of offshore outsourcing
Risks:
1. Risk of exposing confidential data: When an organization outsources HR, Payroll and Recruitment services, it involves a risk of exposing confidential company information to a third party
2. Synchronizing the deliverables: In case you do not choose the right partner for outsourcing, some of the common problem areas include stretched delivery time frames, sub-standard quality output and inappropriate categorization of responsibilities. At times it is easier to regulate these factors inside an organization rather than with an outsourced partner
3. Hidden costs: Although outsourcing is cost-effective most of the time, at times the hidden costs involved in signing a contract across international boundaries may pose a serious threat
4. Lack of customer focus: An outsourced vendor may be catering to the expertise needs of multiple organizations at a time. In such situations vendors may lack complete focus on your organization’s tasks
Good post, Shizhong,
I think the risk to the quality of the service provided by a third party is the most important. If an outsourcer loses a customer because of poor service, it is much less excusable. Of course, the perception of poor service could be misguided, or service expectations may not have been realistic in the first place. However, SLAs between customer and provider generally specify what constitutes acceptable service and what does not. Therefore, a base set of metrics exists against which to measure performance.
Explain common SLA issues identified by auditors
A service level agreement (SLA) is defined as a contract between a service provider and a customer. It details the nature, quality, and scope of the service to be provided. It is also sometimes referred to as a ‘service level contract’.
Failure to monitor SLAs can lead to problems of accountability when auditing occurs, as illustrated by an audit undertaken by the City of Dallas city auditor of an SLA between AT&T and the communication and information services department of the City of Dallas regarding management and monitoring of their voice and primary data network. The audit found that due to lack of sufficient data and processes to ensure data collection, AT&T was unable to show compliance with the terms and conditions of the SLA. Lack of contract oversight and monitoring by the department was a contributory factor (Office of the City Auditor, 2007).
Ariana Levinson says
Q: Benefits and Risks of Outsourcing
A:
Benefits: Obviously one of the largest benefits of outsourcing IT services (and really any other kind of services) is the cost savings that can be gained. It is true that work can be done more cheaply elsewhere than in-house or even in-country. It also saves time and resources (which again eventually turns into financial savings). It’s one less thing to keep track of, to train people on, to maintain, and to worry about. From an audit perspective, it may be one less thing that will need to be audited. In my business we don’t always directly audit outsourced services such as hosting providers. Instead we will review the SOC reports/SSAE16 reports and call it a day. That actually saves us and the business an enormous amount of work and time (which ultimately equals money). It also saves some stress.
Risks:
I think one of the biggest risks from a higher-level perspective is that you are trusting someone else with part of your company. Information that should stay confidential could be disclosed, systems could be breached due to a more lax approach to security and a lack of monitoring over that situation. Also highly worth mentioning are the communication issues. If you’ve outsourced your change management to a company in India but your other IT functions stay in-house, those two teams need to learn how to effectively communicate and work together despite working remotely and from a considerable distance (and time difference) away. There are cultural differences and language barriers that all come into play.
Annamarie Filippone says
Ariana, I agree that a vendor’s security processes should be one of the largest concerns for a company that is outsourcing parts of its business. This is why extensive research before selecting a vendor is crucial. A company should talk to past and present clients to understand their experiences. In addition, if there were security issues in the past, a company should discuss them with the vendor to see what changes have been made after the fact to strengthen security.
Ariana Levinson says
Oh absolutely I agree clients past and current should be interviewed. This process is one looonnnngg job interview for the vendor that would like the contracts and there should be a full list of references provided and a good number of them should be contacted to vet them and their experiences working with the vendor in question.
Tamer Tayea says
Ariana,
Good summary for risks of outsourcing. I would like to add the risk of compliance, as well as issues arising around how to effectively measure SLA performance metrics.
Ariana Levinson says
Oh absolutely. When it comes to outsourcing and compliance, things can get a bit murky. If we’re utilizing a SaaS solution and the vendor is managing the DB and OS layers, how do we audit that? We can’t just go into the vendor’s office and demand all of their records and evidence. My company examines the SOC reports (SSAE16s) put out by our vendors to see what kind of findings were discovered and then we discuss what our next steps will be. If a vendor receives a “qualified” review, it may be time to start looking at someone else to provide services.
Yulun Song says
Nice Post! In addition to the benefits, it also includes risk sharing, reducing operational costs, specialized experts, concentrating on core process rather than the supporting ones, and IT resource sharing!
Shizhong Yang says
Nice Post! I agree with your answers that cultural differences and language barriers could be risks for outsourcing.
Sean Patrick Walsh says
1. What are the benefits and risks of out-sourcing?
Benefits of Outsourcing:
Focus on core competencies
Ease of Scalability
Ease of Deployment
Lower personnel requirement
Save costs from infrastructure and hardware purchases/implementation
Lower costs for utilities
Risks of Outsourcing:
Data Security
Availability
Audit Capability
Regulatory Compliance
Confidentiality
Brou Marie Joelle Alexandra Adje says
Sean, you can also add to the list of benefits: risk sharing. In fact, outsourcing certain components of the business process helps the organization to shift certain responsibilities to the outsourced vendor. Since the outsourced vendor is a specialist, they can even plan the risk-mitigating factors better.
Annamarie Filippone says
This is a great point. While a company should develop its own understanding as to the risks certain processes face, it should also utilize the knowledge a vendor can provide. As an organization that provides similar services to a variety of customers, the vendor can have useful insights regarding risks that were gained through experience, which the company doing the outsourcing may not have.
Fred Zajac says
Alex,
You are right to say the outsource provider should be an expert in the field. In finance, the experts are the people who work with numbers. Their passion is finance, not technology. The expertise and experiences of the outsource provider, good and bad, can be used to your advantage. If they have been around and providing the solution for a while to similar companies, they will have already fixed many of the mistakes they made during the growing pains of the company.
Ian M. Johnson says
Sean, one risk of outsourcing that you could add would be that when you outsource, you risk losing touch with your processes and the skills that come with those processes that your company outsourced. One way to cope with this risk is to stay involved and learn the techniques that the company you bring in employs to enhance your process.
Sean Patrick Walsh says
I considered adding that, and should have with a couple exceptions. I think many companies outsource functions and processes because they didn’t have the experience needed to do the job themselves, so those businesses would not be “losing touch” with something it never had. Also, some businesses outsource functions and processes simply because they don’t want to waste any resources focusing on anything other than its core competencies. Both cases wouldn’t be missing out on those skills outsourced necessarily. I do think your addition is a great point, and I should have added it originally with those exceptions.
Yulun Song says
Nice post! In addition to the risks, it also includes dubious accessibility, loss of personal touch, substandard security protocols, risk of exposing confidential data, hidden costs, and lack of customer focus.
Sean Patrick Walsh says
2. What controls can be implemented to mitigate the risks associated with outsourcing?
Detailed and specific Service Level Agreements (SLA’s) can be implemented when contracting 3rd party services. The ability to audit controls, or agreement on a 3rd party external auditor under SOX 404, can provide assurances of controls to the business. Service metrics can be agreed upon to provide concrete availability measurements to ensure service levels are met at all times. Insurance policies can be purchased to provide coverage for any failures with data security that the business is responsible for.
Brou Marie Joelle Alexandra Adje says
Definitely agree on service metrics.
I remember reading that many companies that outsourced parts of their own internal IT to a service provider a number of years ago, and have since procured IT services externally, subsequently in many cases find themselves subjectively dissatisfied with the services they receive. Why? Because no objective metrics for the quality of the services to be provided have been agreed, or because such metrics could not be agreed due to a lack of historical data.
Sean Patrick Walsh says
That is an interesting predicament. I wonder if they could gather data from vendors through solicitation and figure out how to baseline their own services with the information. Vendors would probably have the best metrics and measurements because their business is the industry of supplying services, and because of that they would probably have the best gouge on how to properly measure what they provide. Again, that really is an interesting thought.
Tamer Tayea says
Hi Sean,
The service metrics are a good measure of SLA; the challenge is how to accurately measure SLA in an outsourced environment. Monitoring outsourced services for uptime is much easier than monitoring service response time.
Yulun Song says
One way we can do this is to require vendors to meet security standards and monitor with effective auditing, and to review and approve the business continuity and disaster recovery plans of the vendor. If the vendor is international, we need to increase cultural awareness through specialized trainings to avoid the problems from cultural differences.
Sean Patrick Walsh says
3. Explain common SLA issues identified by auditors
– Key Performance Indicators are not properly identified or set at a proper minimum level
– Control frameworks are not properly specified when required
– Regulatory compliance specifications are not set, or not properly set
– 3rd Party performance level assurance not available
– Penalties not set for under-performance or failure to meet requirements of business
– No right to audit granted to business (may not be granted to businesses that aren’t large source of revenues)
– No right to audit 3rd party service assessments
– No clause prohibiting vendor from using the business’s data for its own purposes
– Non-disclosure clause missing
– Proper review by legal personnel not completed
– No formal policy for vendor selection
– No formal policy for SLA creation, maintenance, and/or updating
Sean Patrick Walsh says
4. Outsourcing and SLA audit questions
– Is a proper policy set for vendor selection?
– Is a proper policy set for creating, maintaining, and updating SLA’s?
– Is the SLA reviewed by legal personnel prior to signing in agreement?
– Is the vendor audited by an external 3rd party independent auditing firm?
– Are results from independent service level assessment available for review?
– Do vendor personnel have access to the business’s internal network?
– How is the business’s data segregated from other companies’ data?
– Is encryption used for the business’s data at rest, in use, and in motion?
– What physical security processes are in place for where the data is stored?
– What logical security is in place where the data is stored?
– Does the vendor have a DRP and BCP in place? Is it updated?
– Does the vendor carry a current and properly valued insurance policy/bond?
– Does the vendor and SLA stipulate backup procedures?
– Are backups stored onsite or elsewhere?
Yulun Song says
1. What are the benefits and risks of out-sourcing?
Benefits: risk-sharing, reducing operational costs, specialized experts, concentrating on core process rather than the supporting ones, IT resources-sharing
Risks: dubious accessibility, loss of personal touch, substandard security protocols, risk of exposing confidential data, hidden costs, lack of customer focus.
Ian M. Johnson says
Yulun, what do you mean by loss of personal touch? Do you mean loss of personal touch on the product, processes, activities, and workload?
I like how you put risk of exposing confidential data because the company you bring in to take over work may have access to your confidential data. Also, that company could use the expertise they learn from taking over your workload and processes to become a competitor.
Yulun Song says
Thank you for your response Ian. What I am trying to say about loss of personal touch is outsourcing will influence to IT experts because they think they can handle it with familiarizes of the networks or processes they work for.
Jianhui Chen says
Agree with you, but I want to mention that there are also some drawbacks of outsourcing.
Firstly, you will lose managerial control. And there is some hidden cost when some legal issue comes up due to the service or product provided by the 3rd party. As well, some quality problems could come up.
Yulun Song says
2. What controls can be implemented to mitigate the risks associated with outsourcing?
To mitigate the risks associated with outsourcing, we need to consider a detailed study about vendors, including current processes and customer references, rather than blindly believing the track record. Another way is to require vendors to meet security standards and monitor with effective auditing, and to review and approve the business continuity and disaster recovery plans of the vendor. If the vendor is international, we need to increase cultural awareness through specialized trainings to avoid the problems from cultural differences.
https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing
Brou Marie Joelle Alexandra Adje says
Overall, I think that, due to the loss of control (real or perceived) when hiring an outsourced IT provider, it is important for businesses to put together an agreed-upon plan with their IT providers (that is the best way to mitigate outsourcing risk, in my opinion). The plan can include:
• Timelines for meetings
• Updates and issues that the provider or business owner(s) might be having.
• Any pertinent changes or inabilities with either party to help meet business and operational goals.
• Identifying key staff to be in touch with the IT provider(s).
Annamarie Filippone says
In addition to reviewing the vendor’s business continuity and disaster recovery plans, I believe the company doing the outsourcing must also ensure it has its own BC/DR plans. The difference between the two would be that a company’s business continuity and disaster recovery plans would focus on the required course of action if a vendor were to cease operations long-term (or even permanently). While the probability of such a thing is usually low, there is still a chance that a vendor can stop operating due to events unforeseen by one or both parties (e.g. going out of business, environmental disaster, terrorist attack, etc.).
Yulun Song says
4. Outsourcing and SLA audit questions
What service levels will you include in the SLA?
What, exactly, will each service level measure?
How will actual performance be measured?
What will the measurement period be?
What reports will the supplier provide?
How well will the supplier agree to perform?
Will the minimum and expected service levels change over time?
Will the SLA include service-level credits?
Will the supplier have the right to service-level bonuses?
What other options will the customer have in the event of service-level failures?
http://www.outsourcing-center.com/2014-07-ten-key-questions-for-developing-an-effective-service-level-agreement-63376.html
Sean Patrick Walsh says
I like the question you presented in “Will the supplier have the right to service-level bonuses?” Incentivizing the vendor to produce service levels beyond their minimum promised could be very beneficial to a business. The bonuses could even be more business conducted with the vendor as opposed to a traditional bonus of extra money. Even if the bonus levels aren’t hit, or aren’t hit constantly, it may be just the ticket to get a vendor to try and perform even better for a business.
Wenlin Zhou says
What are the benefits and risks of out-sourcing?
Benefits-Save Money
While companies that outsource IT services enjoy many benefits, saving money is one of the most compelling reasons for doing so. Outsourcing helps control capital outlay, especially in the early years of operations. IT services make up fixed costs for companies that do not outsource. Businesses that choose to outsource IT, whether offshore or through a local contractor, convert those fixed expenses to variable ones, freeing up capital for use in other areas. This makes the business more appealing to investors, since the company has more capital to funnel into areas of operations that directly produce revenues.
Risk-Loss of Personal Touch
An in-house network administrator becomes intimately familiar with the eccentricities and unique characteristics of the network he manages. Because of this, he is able to deliver results more efficiently, quickly and personally. IT outsourcing can never provide a personal touch that comes close to that of an in-house IT specialist. Many managers reject the thought of giving this up, even though they can save money by outsourcing.
Yang Li Kang says
Hi Wenlin,
I am on the fence about the risk of loss of personal touch. Usually, the business processes that are outsourced are the supporting processes. These processes are definitely essential to run the business but are limited on how much “personal touch” can be placed on these units. By outsourcing these processes, companies can focus on their core business process where “personal touch” plays a much bigger factor.
Vu Do says
Wenlin, not sure if I also agree with you on the personal touch for the risk of out-sourcing. It is different and I can see where you are coming from, but saving cost is what companies are mostly after and it is true, you can build it in house but that would take tremendous time and will cost the company in all areas. Outsourcing would help reduce those costs and time. I remember working as an Associate App Developer and the company had outsourced some of the jobs over to India and that helped a lot with saving them on cost. They were able to provide customer help at all times of the day and while those of us sleep during the night in the U.S., those outsourced resources are up working.
Wenlin Zhou says
What controls can be implemented to mitigate the risks associated with outsourcing?
Pick a transparent vendor with proven risk management processes.
There are a large number of vendors out there, and most will claim that they have risk mitigation practices in place. While you’re choosing your strategic partner, make sure to ask them how they have managed similar problems before.
Make sure your entire team knows what outsourcing entails.
Outsourcing is not a quick-fix. It takes time, and while you may have chosen the best vendor in the world, the project is still at risk of failure if your team does not know how to cooperate and communicate with your new team of remote professionals. Make sure the entire team knows what is going on, what outsourcing will bring, and what changes to expect. Offer some training before the outsourcing venture begins. Above all, make sure your entire team is on-board, not just the management.
Use appropriate communication channels.
Even when everyone knows how the outsourcing relationship is likely to proceed, there is a chance that an e-mail will go unread, a memo will be missed etc. There are many communication channels available, e-mail is an obvious one, but incorporate communication through channels such as Skype and GoMeeting. Also make sure to share information by setting up a common VPN or using a custom cloud solution. Pick two or three things that will do best
Resource: http://intetics.com/blog/outsourcing-risk-management-loss-of-visibility-and-control/
Brou Marie Joelle Alexandra Adje says
Wenlin, I like that you mention that companies should “Pick a transparent vendor with proven risk management processes”. In fact, a way to eliminate some of the risk when hiring an outside IT provider is for a business to do their homework. Most IT providers will claim to ensure high quality, but where’s the proof? Organizations shouldn’t hesitate to speak with at least three-to-five of the IT provider’s clients, current and past. Past clients are especially important to speak with because they have nothing to lose by telling the truth.
Annamarie Filippone says
Wenlin, I really like the second control you mentioned. As with any business relationship, outsourcing success is dependent on the cooperation of both parties. Training for employees on the various issues that can result from outsourcing, such as remote collaboration and cultural differences, should be started before outsourcing begins. This will allow for a smoother transition and can remove some of the obstacles to a good working relationship.
Joshua Tarlow says
Sub-contracting can be another important issue to consider when outsourcing. It would be important to know if and whom the contractor might hire. There may be some areas that are sensitive and would not be appropriate to outsource a second time, or the contractor may not be reliable. It would be important to research and find out any sub-contracting policies.
Wenlin Zhou says
Explain common SLA issues identified by auditors
• Availability and timeliness of services;
• Confidentiality and integrity of data;
• Change control;
• Security standards compliance, including vulnerability and penetration management;
• Business continuity compliance; and
• Help desk support.
http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/risk-management/contract-issues/service-level-agreements-(slas).aspx
Wenlin Zhou says
Outsourcing and SLA audit questions
• What audit worksheets are going to be used?
• Do you want the auditor to use your standard audit worksheets or are you open to using theirs?
• What support is needed to monitor and track corrective actions that must be established?
• Will you want the auditor to follow up on corrective actions to verify effectiveness?
http://www.quality-auditing.com/auditing-white-papers/outsourcing-the-internal-audit-process/
Ian M. Johnson says
Wenlin, you could also ask questions involving the quality of the work. Along those same lines, you could ask questions involving the benchmarks and goals that the company will reach. If they do not reach those goals, there could be penalties or a cheaper price to pay them. That way you can hold the company to a certain set of standards for the work that they will achieve for you.
Wenlin Zhou says
Of course, I agree with you. Some companies did not research, so it may be hard for the SLA to achieve their goals. Using the benchmarks and goals can help make the SLA more effective. And the penalties can prompt the company to achieve the SLA goals.
Brou Marie Joelle Alexandra Adje says
1) What are the benefits and risks of out-sourcing?
Benefits of outsourcing
• Better revenue realization and enhanced returns on investment
• Lower labor cost and increased realization of economics of scale
• Opportunity for innovation
• Frees management time, enabling companies to focus on core competencies
• Increases speed and the quality of delivery of outsourced activities
• Reduces cash outflow and optimizes resource utilization
The risks of outsourcing
• Possible loss of control over a company’s business processes
• Problems related to quality and turnaround time
• Sluggish response times coupled with slow issue resolutions
• Lower than expected realization of benefits and results
• Issues pertaining to lingual accent variation
Wenlin Zhou says
Good explaining. Organizations use outsourcing as a strategic initiative to improve customer service, quality and reduce costs. Outsourcing can be a permanent or temporary arrangement to bridge the gap in staffing, to learn better quality techniques or improvement of faulty product design.
Brou Marie Joelle Alexandra Adje says
The risks of outsourcing
• Possible loss of control over a company’s business processes
• Problems related to quality and turnaround time
• Sluggish response times coupled with slow issue resolutions
• Issues pertaining to lingual accent variation
Mitigation plan associated with the above risks:
• Well planned milestones, immediate deliverables along with appropriate documentation plan.
• Agreed upon standards and processes must be part of the binding contract.
• Flexible shifts to respect time-zones and increased frequency of meetings.
• Increased cultural awareness through specialized trainings
Brou Marie Joelle Alexandra Adje says
Explain common SLA issues identified by auditors
Too Complex. These documents are not usually short and precise in defining the services the supplier provides and the level of service the supplier and their customers agree on.
No measurements. If you do not have the technology and tool sets to track and report the timed-service events by responsiveness and resolution for the various severity level classifications, then SLAs will fail. Without continuous feedback on performance, the loop is incomplete and the SLAs become documents and nothing more.
Unrealistic management expectations. Often management does not acknowledge the amount of time needed to implement service level management, and therefore they do not staff it adequately.
Unrealistic objectives and goals. Frequently, IT management and customers set unrealistic objectives and goals. This usually happens because there were inadequate measurements done prior to implementing the SLA.
Brou Marie Joelle Alexandra Adje says
4. Outsourcing and SLA audit questions
Are management requirements and expectations clearly defined in the contract?
Do policies regarding purchased services, and, in particular, third party vendor relationships exist?
Were vendor selection processes followed?
Do contract reviews and approval processes exist and were they followed?
Were existing contractual impacts considered?
Are customer service levels defined?
Are responsibilities of users and providers defined?
Does the outsourcer have adequate back-up procedures?
Are security requirements clearly defined in the contract?
Yu Ming Keung says
Good questions Alex!
I think all the questions you suggested help the auditors determine the conditions, pros and cons of the SLA. And I especially like the one that asks the back-up procedure of the outsourcer because if they don’t have it, it would be a risk for the company.
Ian M. Johnson says
What controls can be implemented to mitigate the risks associated with outsourcing?
• Adopt a thin-client approach which allows you to mitigate the risk while staying compliant to the Data Protection Act
• For organizations that outsource parts of their business, there is a risk of losing their core skills as they become more reliant on the outsourcing supplier. Keep control and retain influence over what you accomplish by identifying and retaining your own special core skills and keep control of technical roadmaps and design.
• Carry out your end of the due diligence on site by working with the outsourcing supplier’s people to gain an understanding of their technical and procedural processes, and check the company’s controls are embedded in its processes. Specific control: ask suppliers to sign up to certain standards, levels of vetting for staff, level of physical security, and guarantees about how they run their operations. “occasional site visits at suppliers deemed to be high risk in order to evaluate their security and data protection controls”
• Gain an understanding of their technical and procedural processes and check the company’s controls are embedded in its processes in order to learn how to do what you outsource yourself. This mitigates the risk if something would happen to the company that you outsource the work to. Learn the process to understand where in that process flow something could go wrong, and if any of those steps are outsourced, what role suppliers may play in a failure.
• “Think strategically about their risk appetite for outsourcing certain functions” “Maybe their strategy is that they won’t outsource something because it’s just too risky. That’s a form of mitigation, too.”
• Sources:
• http://www.computerweekly.com/news/2240084219/How-to-mitigate-the-security-risks-of-outsourcing
• http://deloitte.wsj.com/cio/2012/07/10/it-outsourcing-4-serious-risks-and-ways-to-mitigate-them/
Ian M. Johnson says
The Pros of Outsourcing
• Increased revenue and returns on investment
• Lesser labor cost
• Improved realization of economics of scale
• Knowledge base for better innovation
• More management time – enables management to focus on core competencies
• Increases speed and the quality of delivery of outsourced activities
• Reduces cash outflow and optimizes resource utilization
The Cons of Outsourcing
• Possible loss of control over a company’s business processes and activities
• Problems related to quality and turnaround time
• Sluggish response times and at times slow issue resolutions
• Shortcomings in performance
• Lower than expected realization of benefits and results
• Issues pertaining to lingual accent variation
• An irate customer base coupled with enraged employee unions
Source: https://www.flatworldsolutions.com/articles/pros-cons-outsourcing.php
Ian M. Johnson says
Explain common SLA issues identified by auditors
• Availability of service;
• Unrealistic Expectations
• Too complex for general employees
• Resource allocation
• Micro management of agreement
• Process mismanagement
• Change control issues
• Compliance
• Confidentiality and integrity of data;
Ian M. Johnson says
Outsourcing Questions:
1. Am I doing this because I want to simplify my life, or offer the market something new?
2. Am I doing this so I can “focus” on my “core” business?
3. How will this advantage me versus competitors? Would emerging competitors do this?
4. Can competitors do what I’m doing? Can this lead to a price war?
5. How will this make me more competitive in 10 years?
6. How will this make me more connected to markets?
7. How will this make me more flexible to deal with shifting markets, and how will I exploit this flexibility?
8. Am I doing this because I’m desperate to cut costs?
9. What could I be doing instead of outsourcing to be more competitive?
Source: http://www.forbes.com/sites/adamhartung/2010/09/30/outsourcing-right-or-wrong-9-key-questions/#13f8a077d124
Fangzhou Hou says
What are the benefits and risks of out-sourcing?
Benefits of out-sourcing:
First of all, out-sourcing can significantly decrease the cost. For example, if a car manufactory wants to produce a new model of vehicle, it’s not necessary to produce every part of the vehicle; it can outsource some of them to other manufactories. Moreover, this can also save time for the company.
Risks of out-sourcing:
The most significant risk is the information security. Still using the example of the car manufactory, if it decides to outsource some parts of the specific model of vehicle, the company needs to share the designs of those parts to the outsourcers, which means the outsourcers are able to gain the design of the parts of the vehicle.
Fangzhou Hou says
What controls can be implemented to mitigate the risks associated with outsourcing?
Risks:
1. Security breach including confidentiality, IP and trade secrets.
2. Infrastructure breakdown (software/hardware/network failure).
3. Poor selection of vendor.
4. Poorly designed disaster recovery systems/ processes.
Controls:
1. Require vendors to meet security standards and monitor with effective auditing.
2. Consider a detailed study about vendors including current processes, customer references etc.
3. Review and approve business continuity and disaster recovery plans of the vendor. Audit data from simulated disaster drills.
Source: https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing
Fangzhou Hou says
Explain common SLA issues identified by auditors
A service level agreement (SLA) is defined as a contract between a service provider and a customer. However, things can get confusing when creating an SLA policy if you’re not seeing it work as expected. For example, a newly created SLA policy may not apply to existing tickets, or an updated SLA policy is not applied to tickets already using that SLA. Also, the SLA may have some other issues like:
– SLA applied only to some tickets
– First reply time metric not working
– SLA not paused when ticket status is pending
– Target hours showing incorrectly
Source: http://www.ipa.ie/pdf/ServiceAgreementsReport_2014.pdf
https://support.zendesk.com/hc/en-us/articles/218161007-Troubleshooting-common-issues-with-SLAs
Fangzhou Hou says
Outsourcing and SLA audit questions
– Are management requirements and expectations clearly defined in the contract?
– Do policies regarding purchased services, and, in particular, third party vendor relationships exist?
– Do clearly defined benefits and business purposes exist to support the decision to outsource?
– Do contract reviews and approval processes exist and were they followed?
– Is the transition plan, with completed requirements from all affected entities, completed?
– Are we compliant to warranty requirements?
– Are customer service levels defined?
– Are responsibilities of users and providers defined?
– Has outsourced function/operation allowed the customer service levels to be maintained or improved?
Source: Outsourcing, Audit program & Internal control questionnaire. www.isaca.org
Tamer Tayea says
Hi Fangzhou,
Nice recap of SLA auditing concerns; however, one major auditor concern is the lack of documented measurable SLA metrics like availability, performance, response time, location of data, issue resolution process, and other measurable quality of service metrics. Another concern is related to the outsourcing vendor’s security practices and compliance with regulatory standards.
Magaly Perez says
What are the benefits and risks of out-sourcing?
The benefits of out-sourcing:
– Fast assistance
– Expertise in that particular subject
– Cheaper (less employees, hardware, space, etc.)
– Focuses on competencies
The risk of out-sourcing:
-Risk sharing
-Substandard Security Protocols
-Out-sourced company’s objects align with companies
-Confidentiality
-Accessibility
Yang Li Kang says
You listed risk sharing as a disadvantage of outsourcing. Based on the sources I read, risk sharing is listed as an advantage instead. Outsourcing helps shift certain responsibilities to the outsourced vendor. Since they are specialists, they are able to plan risk mitigating factors better. Obviously, this varies based on vendors as some are better than others, but ideally, that should be the case.
Yu Ming Keung says
I agree with you Yang, outsourcing vendors are the experts in the field and they should have the highest security level and plan to mitigate the risks. Companies are basically transferring risks but they should still be responsible for the outsourced functions.
Tamer Tayea says
Nice summary Magaly, I believe the biggest outsourcing risks are SLA and security. There are several issues around managing SLA in an outsourced environment, including performance metrics and the measuring basis for SLA. Security risks are another crucial component due to the enterprise’s lack of direct control over the vendor’s security process.
Wen Ting Lu says
What are the benefits and risks of out-sourcing?
Benefits of out-sourcing
1. SAVE MONEY- I believe the greatest benefit of outsourcing is saving money, no matter which services a company is outsourcing. Outsourcing helps control capital outlay. In addition, outsourcing IT services to a company that specializes in business networks and support will alleviate some of its expense compared with businesses that perform operations internally.
2. FOCUS ON CORE OPERATIONS- Outsourcing allows a company’s management to focus their energies on their competencies. It can be stressful when managers have to split their energies between activities that engage prospective customers and concerns with operations outside of the core business objective.
3. IT RESOURCE SHARING- Outsourcing IT systems and services creates balance between small firms and large enterprises by sharing the IT resources. Oftentimes small companies might not have the budget or resources that large companies have to implement the IT systems and services they need.
Risks of out-sourcing
1. DUBIOUS ACCESSIBILITY- When there are critical system failures, the IT contractor might not be able to devote attention to the issues and resolve them right away. This will lead to loss of productivity and possibly a decrease in revenue.
2. LIMIT UNDERSTANDING OF IT SYSTEM/SERVICE- Because the IT system and service is outsourced, the administrator is not able to deliver the results of the implemented IT system efficiently. There is a lack of “personal touch”.
3. SUBSTANDARD SECURITY PROTOCOLS- Especially for offshore companies run from foreign countries, one must confirm that the outsourcing company has strong security protocols. Some foreign countries may not have laws to protect its intellectual property or other private data, so one should be very cautious in picking an outsourcing company.
Source: http://smallbusiness.chron.com/benefits-vs-risks-outsourcing-services-2504.html
Vu Do says
Wen, I liked your first point for the risks of outsourcing, about dubious accessibility. When working as an Associate App Developer I faced an issue like that. The outsourced team had a project signed out and I needed access to it and also needed to know exactly what they had changed in it. I couldn’t get in touch with them since they were sleeping, as it was a different time zone. My work got delayed since the Administrator was not able to sign the project over to me and I could not work on an old copy since the changes the outsourced member made might have been needed. So I had to work on something different and it delayed my project time because of this issue.
Wen Ting Lu says
What controls can be implemented to mitigate the risks associated with outsourcing?
A: Some controls can be implemented to mitigate the risks associated with outsourcings:
- Research the outsourcing company in detail, including current processes and whether or not it has laws to protect its intellectual property or other private data (preventive control).
– Have recorded videos, tutorials, and webcasts to transfer knowledge, to prevent an inability to capture what the outsourcing company has implemented for the company (preventive control).
– When doing business with a foreign country, make sure to have some basic understanding of how that country does business. Learning and increasing cultural awareness is very important to avoid issues from cultural differences (preventive control).
– Visit the outsourcing company on a timely basis to make sure everything is in good control (detective control).
- Review and approve Business Continuity of the outsourcing company, and always have disaster recovery plans (corrective control).
Source: https://blogs.oracle.com/sathyan/entry/top_20_risks_in_outsourcing
Jianhui Chen says
Good post, I learned a lot from your comments.
The most common view of outsourcing appears to be that the concerns generated by giving up control override any sense of relief at not having the day to-day operational responsibilities. This trend may result from perceptions regarding the different goals and attitudes of internal and external staff towards service, profits, and survival. Clearly much of the concern stems from customers’ suspicions, which may be justified, that the outsourcer does not have the same level of commitment to meeting service requirements as an internal group.
Annamarie Filippone says
Q1. What are the benefits and risks of outsourcing?
Some benefits of outsourcing include:
-Cost savings
-Resource savings
-Access to expertise
-Scalability
-Time zone advantage
Some risks of outsourcing include:
-Decline in product/service quality
-Protection of intellectual property
-Dependence on vendor
-Regulatory/Legal compliance
-Availability of product/service
Annamarie Filippone says
Q2. What controls can be implemented to mitigate the risks associated with outsourcing?
-Research: A company should complete a detailed analysis of potential vendors for outsourcing, having an understanding of their offerings, costs, and history, so it can make an educated decision regarding where it wants to outsource.
-Service Level Agreement: A detailed and specific SLA can set the expectations and ensure that both parties are understanding and agreeing to the same thing. This can reduce quality and legal risks.
-Reviews: Timely and regular reviews of third-party vendors and outsourced operations can help ensure that performance measures are still being met and that a company can still confidently do business with them.
Tamer Tayea says
What are the benefits and risks of out-sourcing?
The benefits of outsourcing are mainly cost savings, potential increased efficiency, in addition to offloading outsourced services to skilled providers.
The outsourcing risks are:
– All the compliance risks the business manages with in-house service will still be managed with outsourcing vendor.
– Outsourced Application/Infrastructure/Network in terms of availability/updates/Security/backup/restore risks
Tamer Tayea says
What controls can be implemented to mitigate the risks associated with outsourcing?
– Establish agreed upon SLA including availability, outage events handling procedure.
– Establish process for regular communication particularly when outsourced application experience availability/security events.
– Establish confidentiality agreement and Non-Disclosure Agreement (NDA) to protect enterprise data handled by outsourcing vendor.
Tamer Tayea says
Explain common SLA issues identified by auditors
– SLA may not clearly document expected availability, performance, response time, location of data, issues resolution process, and other measurable quality of services metrics.
– SLA may not document infrastructure and security standards used by outsourced vendors.
– SLA may not be in line with enterprise business goals.
– SLA may not define all compliance requirements that outsourcing vendors have to comply with, process to communicate yearly compliance updates.
– SLA may not have exit process to move outsourced services to another provider should business decide to move with another vendor.
– How to independently measure SLA for internal reporting as opposed to SLA numbers provided by outsourcing providers.
– SLA may not provide details on governance processes like Change Management, BCP , DRP.
Tamer Tayea says
Outsourcing and SLA audit questions
– Do you have business management expectations defined in SLA agreement?
– Does business have internal policies on how to manage SLA risks?
– Does the outsourcing contract include expected availability, performance, response time, location of data, issues resolution process and other measurable quality of services metrics?
– Was there any transition plan to the outsourcing provider and an exit process?
Joshua Tarlow says
What are the benefits and risks of out-sourcing?
Benefits
* Can save money
* Control expenses
* Access to capabilities not internally available
* Focus on core operations
* Use IT resources on closer to business functions
* Access to first rate software/capabilities
* Share risk
Risks
* Loss of business/institutional knowledge
* Accessibility
* May not be as familiar with system or business
* Substandard security/procedures
* Regulatory compliance
* Sub-contracting
* Some functions cannot be outsourced
Victoria A. Johnson says
The benefits of outsourcing are:
• Increased control of your business
• Increased efficiency and productivity
• Ability to streamline business operations
• More flexible to change
• Reduced operational costs
• IT resource sharing
The risks of outsourcing are:
• Hidden costs, for example, legal costs while signing contracts between companies
• Misunderstanding the contract
• Renewing contracts
• Product or service quality may suffer therefore customer service may be affected
• Transition phase may fail if schedules and budgets are not reached
• Potential redundancies may occur affecting the quality of work by employees
Vu Do says
What are the benefits and risks of out-sourcing?
Benefits
-Cost saving for the company since instead of using their own resources or money to buy equipment, they are outsourcing to an outside company to do it. That way they are saving on storage, equipment, personnel, electricity etc. They are then able to invest that money into something else. Outsourcing companies can provide the service they need and if they outsource to companies overseas then they could be saving a lot more money but also help people in those countries get jobs.
Risks
– Access to a company’s personal information is a huge risk factor when working with outsourcing companies. Companies are providing information, and outsourcing firm employees are able to access information within the company, and if there are no measures in place or barriers established to limit what they are able to get access to, then that could be a huge issue. They would be able to access information and even change information in the system. There is also the risk of leaking personal information about the company early, which could cost the company money. Those are some of the risk factors that come with outsourcing to an outside company.
Yu Ming Keung says
What are the benefits and risks of out-sourcing?
Benefits:
1. Save money, manpower and time
2. Can focus on core operation
3. Swiftness and Expertise
Risks:
1. Risk of exposing confidential data
2. Have to deal with the relationship with the outsourcing partner
3. Lack of expertise in the long term
4. Quality service
Vu Do says
What controls can be implemented to mitigate the risks associated with outsourcing?
Access controls can help mitigate the risk associated with outsourcing. Specifically the access controls that provide users authority to be able to make changes to certain databases. I remember when working as an Associate App Developer I would have to submit a request to access certain databases and it would have to get approved by 4 different managers before I received access. So putting a control like that in place for outsourcing companies will reduce the risk of them getting access to the company’s personal information. They will get access to what they request and if there are any changes, then you know who had the access and who made the changes so there is a paper trail in place also. This will greatly reduce the risk.
Yu Ming Keung says
What controls can be implemented to mitigate the risks associated with outsourcing?
In case of poor outsourcing vendor selection, the company can conduct a detailed study of the vendors, covering current processes and customer references. They have to select the best quality outsourcing vendors since they are performing important business. Furthermore, data breaches may often happen to outsourcing partners, so it is especially significant for them to meet the security standards and be monitored with effective auditing. Companies should also increase their awareness of region-specific laws and regulations to better plan for incompatibilities and allowable trade-offs to mitigate legal and regulatory risks.
Yu Ming Keung says
Explain common SLA issues identified by auditors
A service-level agreement (SLA) refers to a contract between a service provider and its internal or external customers that documents what services the provider will furnish and defines the performance standards the provider is obligated to meet.
The issues identified by auditors:
1. Confidentiality, integrity and availability of service provided by SLA
2. Compliance issues
Yang Li Kang says
What are the benefits and risks of out-sourcing?
Outsourcing is the transfer of specific business processes from one organization to another organization specializing in that business process. Most organizations cannot handle all aspects of a business process internally due to lack of expertise or high operating cost. Once the task is outsourced to the service provider, it will take the responsibility of carrying out the tasks and maintaining the business process.
However before outsourcing any component of your business, it is important to understand the advantages and disadvantages of outsourcing.
Benefits:
Expertise – Vendors that provide outsourcing service usually specialize in that field. They have specific equipment and technical expertise that are usually better than the outsourcing organization. This enables them to complete that business process much more effectively, efficiently and at better quality.
Focus on core process rather than supporting process –By outsourcing supporting process, the organization can focus more time and resources on improving their own core business that actually helps raise their revenue.
Risk Sharing – Outsourcing helps shift certain responsibilities to the outsourced vendor. Since they are specialists, they should be able to plan risk mitigating factors better.
Reduced Cost – Operational and recruitment cost can be reduced since the organization does not have to hire and operate in-house.
Disadvantages:
Risk of exposing confidential data – An organization will have to expose confidential company data if the outsourced business process requires that information.
Potential setbacks – Sometimes, organizations may choose the wrong vendor. This can lead to unsynchronized time frames, low quality output and mix-up in responsibilities.
Lack of customer priority – Often times, outsourcing service vendors have multiple organizations that they cater to at a time. They focus their attention on the bigger clients instead of their smaller ones.
Yang Li Kang says
What controls can be implemented to mitigate the risks associated with outsourcing?
Inadequate outsourcing vendor – Conduct proper research on vendors before selecting an outsourcing partner
Misalignment of process and quality standards – Agreed-upon standards and processes must be part of the SLA contract.
Security breach – Require vendor to meet security standard and monitor with effective auditing in SLA
Yang Li Kang says
Explain common SLA issues identified by auditors
– There are no proper Key Performance Indicators so the service provided cannot be monitored or audited.
– There is a lack of control frameworks which expose the organization to threats
– There are no penalties set for under-performance or failure to meet requirements of business
– No agreement of confidentiality that prohibits vendor from using the businesses data for its own purposes or exposing the data.
– Lack of formal policy for SLA updates.
Yang Li Kang says
Outsourcing and SLA audit questions
Do the SLAs adequately evaluate the effectiveness of the services to be delivered by the vendor?
Does the SLA have quantitative and qualitative metrics that measure the effectiveness of the service? Are they reasonable and measurable?
Is there a clearly defined customer service level?
Is there a required level of security control?
Are there penalties for under-performance or failure to meet requirements of business?
Is there a confidentiality agreement?
Is there a formal SLA update policy?
Yu Ming Keung says
Outsourcing and SLA audit questions
How will actual performance be measured?
How frequent should we review the outsourcing performance?
What does outsourcing cover?
Cost, risks, time period, working hours, contract terms
Outsourcing vendors and location
Said Ouedraogo says
What are the benefits and risks of out-sourcing?
Benefits:
Expertise
Risk-sharing
Reduce costs
Focus on core competencies
Risks:
Confidentiality
Integrity
Availability
Said Ouedraogo says
What controls can be implemented to mitigate the risks associated with outsourcing?
First of all, the company should research all vendors and choose the one that fits the company best. Then, the company should require the vendor to meet security standards and monitor the vendor with effective auditing. It can also review and approve Business Continuity and disaster recovery plans of the vendor.
Fred Zajac says
What are the benefits and risks of out-sourcing? And What controls can be implemented to mitigate the risks associated with outsourcing?
The first thing I would mention is the difference between On-shore outsourcing and off-shore outsourcing. On-shore means the business function is performed in the United States or where the client is located. Off-shore means the function is performed in another country. There are different risks and benefits associated with each and different functions that can be outsourced.
Adesanya Ahmed wrote a whitepaper, Using COBIT to Manage the Benefits, Risks & Security of Outsourcing Cloud Computing.
The benefits listed were: Cost Controls, Improved Productivity, Availability, and Resiliency. The benefits are well known and we hear about companies moving certain functions outside the organization. However, there are risks that may outweigh the common cost and production benefits.
Risks Include:
Loss of Governance or Control. By outsourcing the function, they are giving control of the process to an outside organization. To mitigate this risk requires full transparency and communication. Documentation on the policies, procedures, responsibilities, and consequences should be available for review.
Compliance: Rules and Regulations are changing to protect consumers from fraudulent actions. Certain industries are governed by industry regulators, who require specific actions and controls to be enforced. Proper procedures should be outlined in the SLA and reviewed with the service provider prior to signing. A right to change the contract should be included in the contract in the event the governing body changes the rules and/or regulations during the terms of the contract.
Data Protection: What are the service provider’s encryption methods? Are penetration tests conducted to pinpoint intrusion areas? Multi-level authentication and enhanced data protection are needed to mitigate these risks.
Provider Selection: The 3 previous risks mentioned all fall on the Provider Selection. This risk is associated with the 3 previous risks. It is important to put out a detailed Request For Proposal (RFP) and allow multiple vendors to bid on the project. The vendors should be directed to the procurement department for proper verification, and to be added to the vendors list. Each proposal should be reviewed and discussed with the vendor to determine if the services needed can be accomplished.
https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.isaca.org%2FKnowledge-Center%2FDocuments%2FUsing-COBIT-to-Manage-the-Benefits-Risks-and-Security-of-Outsourcing-Cloud-Computing.docx
This answer also answers number 2
Fred Zajac says
Explain common SLA issues identified by auditors
Even with all of the “T”s crossed and “i”s dotted, there are still issues associated with an SLA. ISACA points out a few risk drivers with Service Level Agreements.
1. Failure to meet expectations
a. Both you and the service provider may have every intention to meet the obligations of the SLA, but unforeseen things happened and for whatever reason, the expectations were not met. There should be an “out” clause in the SLA and a documented process on how “the break-up” will work.
2. Inefficient and ineffective use of service delivery resources
a. This reminds me of a cartoon where a hunter is using a B.B. gun to hunt an elephant. You could even use an example of an elephant gun to hunt birds. The service provider may have a great solution for your industry, but if all employees aren’t using the solution, or if it isn’t meeting the requirements, then the SLA is worthless because the solution doesn’t work.
Fred Zajac says
Outsourcing and SLA audit questions
Here are a few questions I would ask.
What industries do you service?
How long have you been in business (Reputation)?
Where are you located or What office will be associated with our company?
What is the response time?
What are your controls (Physical, system, people, etc.)?
Do we get a dedicated solution or are we just another client?
And, How much does it cost?
Wen Ting Lu says
Outsourcing and SLA audit questions
-Does the outsourcer have adequate back-up procedures?
-Does the outsourcer have adequate physical access controls and administration and maintenance?
-Is vendor performance monitored?
-Will the SLA include service-level credits?
-Are billings and payables verified to the contract for validity?
Jianhui Chen says
Good post. One of the main reasons to outsource is the expectation of receiving better service from the outsourcer than from internal staff. This expectation is often based on the knowledge that there will be an explicit SLA in place, which can be enforced by the customer and which might bear remedies against the outsourcer for nonperformance. While companies are increasingly establishing SLAs for internal providers, they are often harder to enforce since everyone is a member of the family.
Paul M. Dooley says
What are the benefits and risks of out-sourcing?
Risks:
Logical IS Security
Total Dependence and Exit Barriers
Legal Consequences
On-time Delivery Performance
Product or Service Quality
Financial stability of Outsourced Vendor
Benefits:
Cost compared to internal resources
Expertise in specific function
Quicker to market vs building out a new division or unit
Paul M. Dooley says
What controls can be implemented to mitigate the risks associated with outsourcing?
Contracts
Statement of Work
High Level Monitoring
Connectivity and Network Security
Data Security
Project Monitoring and Governance
Compliance with Regulatory Requirements
Benefit Measurement
Customer Satisfaction
Impact on IT Strategy
Source: Class Presentation
Paul M. Dooley says
Explain common SLA issues identified by auditors
One common concern is that outsourcing the project or function may be unrealistic due to a number of issues, including that it is too complex. Additionally, unclear measurements of service level agreements and performance against those agreements are defined; therefore it is impossible to determine if it is an effective solution. Some additional concerns would be process fraud, prioritization of projects, escalation processes, etc.
Source: Class Presentation
Jianhui Chen says
What are the benefits and risks of out-sourcing?
Outsourcing is a practice in which an individual or company performs tasks, provides services or manufactures products for another company, functions that could have been or are usually done in-house. Outsourcing is typically used by companies to save costs.
Benefit:
1. Reduce cost/internal headcount
2. Internal capacity is constrained by increasing market demand makes the company meet the internal manufacturing requirements
3. Increase the efficiency: When you outsource your business needs to an outsourcing partner, they bring years of experience in business practices and expertise in delivering complex outsourcing projects.
Risks:
1. Logical IS Security
2. Total Dependence and Exit Barriers
3. Legal Consequences
4. On-time delivery performance and end-customer satisfaction levels may decline because of delays at third parties
5. Product or service quality may also suffer in outsourcing, affecting customer satisfaction.
6. The outsourcing transition phase may also fail if schedules and budgets are not achieved because of insufficient planning and/or resources.
7. Providers may not be financially viable, thereby exposing the company to supply interruption risk.
Jianhui Chen says
What controls can be implemented to mitigate the risks associated with outsourcing?
1. Contract
2. Statement of Work (SLA)
3. High Level Monitoring
4. Connectivity and Network Security
5. Data Security
6. Project Monitoring and Governance
7. Compliance with Regulatory Requirements
8. Benefit Measurement
9. Customer Satisfaction
10. Impact on IT Strategy
Jianhui Chen says
Explain common SLA issues identified by auditors
A service level agreement (SLA) is a contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. SLAs are output-based in that their purpose is specifically to define what the customer will receive.
The common SLA issues are shown below:
1. There are no Key Performance standards so the service cannot be monitored.
2. There are no control frameworks, which exposes the organization to threats.
3. There are no penalties set for failure to meet requirements of business requirement.
4. No agreement of confidentiality that prevents vendor from using the businesses data for its own purposes or exposing the data.
5. Lack of formal policy for SLA updates
Shizhong Yang says
Nice Post! I agree with your answers that lack of formal policy for SLA updates could be a common issue for auditors.
Shizhong Yang says
What are the benefits and risks of out-sourcing?
Outsourcing most commonly known as offshoring has pros and cons to it. Most of the time, the advantages of outsourcing overshadow the disadvantages of outsourcing.
Benefits:
1. Swiftness and Expertise: Most of the time, tasks are outsourced to vendors who specialize in their field. The outsourced vendors also have specific equipment and technical expertise, most of the time better than the ones at the outsourcing organization. Effectively the tasks can be completed faster and with better quality output
2. Concentrating on core process rather than the supporting ones: Outsourcing the supporting processes gives the organization more time to strengthen their core business process
3. Risk-sharing: One of the most crucial factors determining the outcome of a campaign is risk-analysis. Outsourcing certain components of your business process helps the organization to shift certain responsibilities to the outsourced vendor. Since the outsourced vendor is a specialist, they plan your risk-mitigating factors better
4. Reduced Operational and Recruitment costs: Outsourcing eludes the need to hire individuals in-house; hence recruitment and operational costs can be minimized to a great extent. This is one of the prime advantages of offshore outsourcing
Risks:
1. Risk of exposing confidential data: When an organization outsources HR, Payroll and Recruitment services, it involves a risk of exposing confidential company information to a third party
2. Synchronizing the deliverables: In case you do not choose a right partner for outsourcing, some of the common problem areas include stretched delivery time frames, sub-standard quality output and inappropriate categorization of responsibilities. At times it is easier to regulate these factors inside an organization rather than with an outsourced partner
3. Hidden costs: Although outsourcing is cost-effective most of the time, at times the hidden costs involved in signing a contract across international boundaries may pose a serious threat
4. Lack of customer focus: An outsourced vendor may be catering to the expertise-needs of multiple organizations at a time. In such situations vendors may lack complete focus on your organization’s tasks
Jianhui Chen says
Good post, Shizhong,
I think the risk on the quality of the service provided by a third party is the most important. If an outsourcer loses a customer because of poor service, it is much less excusable. Of course, the perception of poor service could be misguided, or service expectations may not have been realistic in the first place. However, SLAs between customer and provider generally specify what constitutes acceptable service and what does not. Therefore, a base set of metrics exists against which to measure performance.
Shizhong Yang says
Explain common SLA issues identified by auditors
A service level agreement (SLA) is defined as a contract between a service provider and a customer. It details the nature, quality, and scope of the service to be provided. It is also sometimes referred to as a ‘service level contract’.
Failure to monitor SLAs can lead to problems of accountability when auditing occurs, as illustrated by an audit undertaken by the City of Dallas city auditor of an SLA between AT&T and the communication and information services department of the City of Dallas regarding management and monitoring of their voice and primary data network. The audit found that due to lack of sufficient data and processes to ensure data collection, AT&T was unable to show compliance with the terms and conditions of the SLA. Lack of contract oversight and monitoring by the department was a contributory factor (Office of the City Auditor, 2007).
Resource: http://www.ipa.ie/pdf/ServiceAgreementsReport_2014.pdf